Abstract

The λΠ-calculus can be extended with rewrite rules to embed any functional pure type system. In this paper, we show that the embedding is conservative by proving a relative form of normalization, thus justifying the use of the λΠ-calculus modulo rewriting as a logical framework for logics based on pure type systems. This result was previously only proved under the condition that the target system is normalizing. Our approach does not depend on this condition and therefore also works when the source system is not normalizing.
1 Introduction

The λΠ-calculus modulo rewriting is a logical framework that extends the λΠ-calculus [?] with rewrite rules. Through the Curry-de Bruijn-Howard correspondence, it can express properties and proofs of various logics. Cousineau and Dowek [5] introduced a general embedding of functional pure type systems (FPTS), a large class of typed λ-calculi, in the λΠ-calculus modulo rewriting: for any FPTS λS, they constructed the system λΠ/S using appropriate rewrite rules, and defined two translation functions $|M|$ and $\|A\|$ that translate respectively the terms and the types of λS to λΠ/S. This embedding is complete, in the sense that it preserves typing: if $\Gamma \vdash_{\lambda S} M : A$ then $\|\Gamma\| \vdash_{\lambda\Pi/S} |M| : \|A\|$. From the logical point of view, it preserves provability. The converse property, called conservativity, was only shown partially: assuming λΠ/S is strongly normalizing, if there is a term $N$ such that $\|\Gamma\| \vdash_{\lambda\Pi/S} N : \|A\|$ then there is a term $M$ such that $\Gamma \vdash_{\lambda S} M : A$.

Normalization and conservativity

Not much is known about normalization in λΠ/S. Cousineau and Dowek [5] showed that the embedding preserves reduction: if $M \to M'$ then $|M| \to^+ |M'|$. As a consequence, if λΠ/S is strongly normalizing (i.e. every well-typed term normalizes) then so is λS, but the converse might not be true a priori. This was not enough to show the conservativity of the embedding, so the proof relied on the unproven assumption that λΠ/S is normalizing. This result is insufficient if one wants to consider the λΠ-calculus modulo rewriting as a general logical framework for defining logics and expressing proofs in those logics, as proposed in [?]. Indeed, if the embedding turns out to be inconsistent then checking proofs in the logical framework has very little benefit.
Conservativity of embeddings in the λΠ-calculus modulo rewriting


Consider the PTS λHOL that corresponds to higher-order logic [1]:

\[
\begin{array}{rcl}
\mathcal{S} &=& \{\mathrm{Prop}, \mathrm{Type}, \mathrm{Kind}\}\\
\mathcal{A} &=& \{(\mathrm{Prop} : \mathrm{Type}), (\mathrm{Type} : \mathrm{Kind})\}\\
\mathcal{R} &=& \{(\mathrm{Prop}, \mathrm{Prop}, \mathrm{Prop}), (\mathrm{Type}, \mathrm{Prop}, \mathrm{Prop}), (\mathrm{Type}, \mathrm{Type}, \mathrm{Type})\}
\end{array}
\]

This PTS is strongly normalizing, and therefore consistent. A polymorphic variant of λHOL is specified by $U^- = HOL + (\mathrm{Kind}, \mathrm{Type}, \mathrm{Type})$. It turns out that λU⁻ is inconsistent: there is a term $\omega$ such that $\vdash_{\lambda U^-} \omega : \Pi\alpha : \mathrm{Prop}.\, \alpha$ and which is not normalizing [1]. We motivate the need for a proof of conservativity with the following example.

► Example 1.1. The polymorphic identity function $I = \lambda\alpha : \mathrm{Type}.\, \lambda x : \alpha.\, x$ is not well-typed in λHOL, but it is well-typed in λU⁻ and so is its type:

\[
\vdash_{\lambda U^-} I : \Pi\alpha : \mathrm{Type}.\, \alpha \to \alpha
\qquad
\vdash_{\lambda U^-} \Pi\alpha : \mathrm{Type}.\, \alpha \to \alpha : \mathrm{Type}
\]

However, the translation $|I| = \lambda\alpha : U_{\mathrm{Type}}.\, \lambda x : \varepsilon_{\mathrm{Type}}\, \alpha.\, x$ is well-typed in λΠ/HOL:

\[
\vdash_{\lambda\Pi/HOL} |I| : \Pi\alpha : U_{\mathrm{Type}}.\, \varepsilon_{\mathrm{Type}}\, \alpha \to \varepsilon_{\mathrm{Type}}\, \alpha
\qquad
\vdash_{\lambda\Pi/HOL} \Pi\alpha : U_{\mathrm{Type}}.\, \varepsilon_{\mathrm{Type}}\, \alpha \to \varepsilon_{\mathrm{Type}}\, \alpha : \mathrm{Type}
\]

It seems that λΠ/HOL, just like λU⁻, allows more functions than λHOL, even though the type of $|I|$ is not the translation of a λHOL type. Is that enough to make λΠ/HOL inconsistent?

Absolute normalization vs relative normalization

One way to answer the question is to prove strong normalization of λΠ/S by constructing a model, for example in the algebra of reducibility candidates [3]. Dowek [7] recently constructed such a model for the embedding of higher-order logic (λHOL) and of the calculus of constructions (λC). However, this technique is still very limited. Indeed, proving such a result is, by definition, at least as hard as proving the consistency of the original system. It requires specific knowledge of λS, and the construction of such a model can be very involved, for example for the calculus of constructions with an infinite universe hierarchy (λC^∞).

In this paper, we take a different approach and show that λΠ/S is conservative in all cases, even when λS is not normalizing. Instead of showing that λΠ/S is strongly normalizing, we show that it is weakly normalizing relative to λS, meaning that proofs in the target language can be reduced to proofs in the source language. That way we prove only what is needed to show conservativity, without having to prove the consistency of λS all over again. After identifying the main difficulties, we characterize a PTS completion [16] containing $S$, and define an inverse translation from λΠ/S to λS*. We then prove that λS* is a conservative extension of λS using the reducibility method [18].

Outline

The rest of the paper is organized as follows. In Section 2 we recall the theory of pure type systems. In Section 3 we present the framework of the λΠ-calculus modulo rewriting. In Section 4 we introduce Cousineau and Dowek's embedding of functional pure type systems in the λΠ-calculus modulo rewriting. In Section 5 we prove the conservativity of the embedding using the techniques mentioned above. In Section 6 we summarize the results and discuss future work.
\[
\frac{}{\mathrm{WF}_{\lambda S}(\cdot)}\ \text{Empty}
\qquad
\frac{\Gamma \vdash_{\lambda S} A : s \quad x \notin \Gamma}{\mathrm{WF}_{\lambda S}(\Gamma, x : A)}\ \text{Declaration}
\qquad
\frac{\mathrm{WF}_{\lambda S}(\Gamma) \quad (x : A) \in \Gamma}{\Gamma \vdash_{\lambda S} x : A}\ \text{Variable}
\]

\[
\frac{\mathrm{WF}_{\lambda S}(\Gamma) \quad (s_1 : s_2) \in \mathcal{A}}{\Gamma \vdash_{\lambda S} s_1 : s_2}\ \text{Sort}
\qquad
\frac{\Gamma \vdash_{\lambda S} A : s_1 \quad \Gamma, x : A \vdash_{\lambda S} B : s_2 \quad (s_1, s_2, s_3) \in \mathcal{R}}{\Gamma \vdash_{\lambda S} \Pi x : A.\, B : s_3}\ \text{Product}
\]

\[
\frac{\Gamma, x : A \vdash_{\lambda S} M : B \quad \Gamma \vdash_{\lambda S} \Pi x : A.\, B : s}{\Gamma \vdash_{\lambda S} \lambda x : A.\, M : \Pi x : A.\, B}\ \text{Abstraction}
\qquad
\frac{\Gamma \vdash_{\lambda S} M : \Pi x : A.\, B \quad \Gamma \vdash_{\lambda S} N : A}{\Gamma \vdash_{\lambda S} M\, N : B[x \backslash N]}\ \text{Application}
\]

\[
\frac{\Gamma \vdash_{\lambda S} M : A \quad \Gamma \vdash_{\lambda S} B : s \quad A =_\beta B}{\Gamma \vdash_{\lambda S} M : B}\ \text{Conversion}
\]

Figure 1 Typing rules of λS


2 Pure type systems

Pure type systems [1] are a general class of typed λ-calculi parametrized by a specification.

► Definition 2.1. A PTS specification is a triple $S = (\mathcal{S}, \mathcal{A}, \mathcal{R})$ where
- $\mathcal{S}$ is a set of symbols called sorts,
- $\mathcal{A} \subseteq \mathcal{S} \times \mathcal{S}$ is a set of axioms of the form $(s_1 : s_2)$,
- $\mathcal{R} \subseteq \mathcal{S} \times \mathcal{S} \times \mathcal{S}$ is a set of rules of the form $(s_1, s_2, s_3)$.

We write $(s_1, s_2)$ as a shorthand for the rule $(s_1, s_2, s_2)$. The specification $S$ is functional if the relations $\mathcal{A}$ and $\mathcal{R}$ are functional, that is, $(s_1 : s_2) \in \mathcal{A}$ and $(s_1 : s_2') \in \mathcal{A}$ imply $s_2 = s_2'$, and $(s_1, s_2, s_3) \in \mathcal{R}$ and $(s_1, s_2, s_3') \in \mathcal{R}$ imply $s_3 = s_3'$. The specification is full if for all $s_1, s_2 \in \mathcal{S}$ there is a sort $s_3$ such that $(s_1, s_2, s_3) \in \mathcal{R}$.

► Definition 2.2. Given a PTS specification $S = (\mathcal{S}, \mathcal{A}, \mathcal{R})$ and a countably infinite set of variables $\mathcal{V}$, the abstract syntax of λS is defined by the following grammar:

\[
\begin{array}{lrcl}
\text{(terms)} & T & ::= & \mathcal{S} \mid \mathcal{V} \mid T\,T \mid \lambda\mathcal{V} : T.\, T \mid \Pi\mathcal{V} : T.\, T\\
\text{(contexts)} & C & ::= & \cdot \mid C, \mathcal{V} : T
\end{array}
\]

We use lower case letters $x, y, \alpha, \beta, \ldots$ to denote variables, uppercase letters such as $M, N, A, B, \ldots$ to denote terms, and uppercase Greek letters such as $\Gamma, \Delta, \Sigma, \ldots$ to denote contexts. The set of free variables of a term $M$ is denoted by $FV(M)$. We write $A \to B$ for $\Pi x : A.\, B$ when $x \notin FV(B)$.

The typing rules of λS are presented in Figure 1. We write $\Gamma \vdash M : A$ instead of $\Gamma \vdash_{\lambda S} M : A$ when the context is unambiguous. We say that $M$ is a $\Gamma$-term when $\mathrm{WF}(\Gamma)$ and $\Gamma \vdash M : A$ for some $A$. We say that $A$ is a $\Gamma$-type when $\mathrm{WF}(\Gamma)$ and either $\Gamma \vdash A : s$ or $A = s$ for some $s \in \mathcal{S}$. We write $\Gamma \vdash M : A : s$ as a shorthand for $\Gamma \vdash M : A$ and $\Gamma \vdash A : s$.

► Example 2.3. The following well-known systems can all be expressed as functional pure type systems using the same set of sorts $\mathcal{S} = \{\mathrm{Type}, \mathrm{Kind}\}$ and the same set of axioms $\mathcal{A} = \{(\mathrm{Type} : \mathrm{Kind})\}$:

- Simply-typed λ-calculus (λ→): $\mathcal{R} = \{(\mathrm{Type}, \mathrm{Type})\}$
- System F (λ2): $\mathcal{R} = \{(\mathrm{Type}, \mathrm{Type}), (\mathrm{Kind}, \mathrm{Type})\}$
- λΠ-calculus (λP): $\mathcal{R} = \{(\mathrm{Type}, \mathrm{Type}), (\mathrm{Type}, \mathrm{Kind})\}$
- Calculus of constructions (λC): $\mathcal{R} = \{(\mathrm{Type}, \mathrm{Type}), (\mathrm{Kind}, \mathrm{Type}), (\mathrm{Type}, \mathrm{Kind}), (\mathrm{Kind}, \mathrm{Kind})\}$

► Example 2.4. Let $I = \lambda\alpha : \mathrm{Type}.\, \lambda x : \alpha.\, x$ be the polymorphic identity function. The term $I$ is not well-typed in the simply typed λ-calculus but it is well-typed in the calculus of constructions λC:

\[
\vdash_{\lambda C} I : \Pi\alpha : \mathrm{Type}.\, \alpha \to \alpha
\]

The following properties hold for all pure type systems [1].

► Theorem 2.5 (Correctness of types). If $\Gamma \vdash_{\lambda S} M : A$ then $\mathrm{WF}_{\lambda S}(\Gamma)$ and either $\Gamma \vdash_{\lambda S} A : s$ or $A = s$ for some $s \in \mathcal{S}$, i.e. $A$ is a $\Gamma$-type.

The reason why we don't always have $\Gamma \vdash A : s$ is that some sorts do not have an associated axiom, such as Kind in Example 2.3, which leads to the following definition.

► Definition 2.6 (Top-sorts). A sort $s \in \mathcal{S}$ is called a top-sort when there is no sort $s' \in \mathcal{S}$ such that $(s : s') \in \mathcal{A}$.

The following property is useful for proving properties about systems with top-sorts.

► Theorem 2.7 (Top-sort types). If $\Gamma \vdash A : s$ and $s$ is a top-sort then either $A = s'$ for some sort $s' \in \mathcal{S}$ or $A = \Pi x : B.\, C$ for some terms $B, C$.

► Theorem 2.8 (Confluence). If $M_1 \to^*_\beta M_2$ and $M_1 \to^*_\beta M_3$ then there is a term $M_4$ such that $M_2 \to^*_\beta M_4$ and $M_3 \to^*_\beta M_4$.

► Theorem 2.9 (Product compatibility). If $\Pi x : A.\, B =_\beta \Pi x : A'.\, B'$ then $A =_\beta A'$ and $B =_\beta B'$.

► Theorem 2.10 (Subject reduction). If $\Gamma \vdash_{\lambda S} M : A$ and $M \to_\beta M'$ then $\Gamma \vdash_{\lambda S} M' : A$.

Finally, we state the following property for functional pure type systems.

► Theorem 2.11 (Uniqueness of types). Let $S$ be a functional specification. If $\Gamma \vdash_{\lambda S} M : A$ and $\Gamma \vdash_{\lambda S} M : B$ then $A =_\beta B$.

In the rest of the paper, all the pure type systems we consider will be functional.

3 The λΠ-calculus modulo rewriting

The λΠ-calculus, also known as LF and as λP, is one of the simplest forms of λ-calculus with dependent types, and corresponds through the Curry-de Bruijn-Howard correspondence to a minimal first-order logic of higher-order terms. As mentioned in Example 2.3, it can be defined as the functional pure type system λP with the following specification:

\[
\begin{array}{rcl}
\mathcal{S} &=& \{\mathrm{Type}, \mathrm{Kind}\}\\
\mathcal{A} &=& \{(\mathrm{Type} : \mathrm{Kind})\}\\
\mathcal{R} &=& \{(\mathrm{Type}, \mathrm{Type}), (\mathrm{Type}, \mathrm{Kind})\}
\end{array}
\]
\[
\frac{}{\mathrm{WF}_{\lambda\Pi/}(\cdot)}\ \text{Empty}
\qquad
\frac{\Gamma \vdash_{\lambda\Pi/} A : s \quad x \notin \Sigma, \Gamma}{\mathrm{WF}_{\lambda\Pi/}(\Gamma, x : A)}\ \text{Declaration}
\qquad
\frac{\mathrm{WF}_{\lambda\Pi/}(\Gamma) \quad (x : A) \in \Sigma, \Gamma}{\Gamma \vdash_{\lambda\Pi/} x : A}\ \text{Variable}
\]

\[
\frac{\mathrm{WF}_{\lambda\Pi/}(\Gamma) \quad (s_1 : s_2) \in \mathcal{A}}{\Gamma \vdash_{\lambda\Pi/} s_1 : s_2}\ \text{Sort}
\qquad
\frac{\Gamma \vdash_{\lambda\Pi/} A : s_1 \quad \Gamma, x : A \vdash_{\lambda\Pi/} B : s_2 \quad (s_1, s_2, s_3) \in \mathcal{R}}{\Gamma \vdash_{\lambda\Pi/} \Pi x : A.\, B : s_3}\ \text{Product}
\]

\[
\frac{\Gamma, x : A \vdash_{\lambda\Pi/} M : B \quad \Gamma \vdash_{\lambda\Pi/} \Pi x : A.\, B : s}{\Gamma \vdash_{\lambda\Pi/} \lambda x : A.\, M : \Pi x : A.\, B}\ \text{Abstraction}
\qquad
\frac{\Gamma \vdash_{\lambda\Pi/} M : \Pi x : A.\, B \quad \Gamma \vdash_{\lambda\Pi/} N : A}{\Gamma \vdash_{\lambda\Pi/} M\, N : B[x \backslash N]}\ \text{Application}
\]

\[
\frac{\Gamma \vdash_{\lambda\Pi/} M : A \quad \Gamma \vdash_{\lambda\Pi/} B : s \quad A =_{\beta R} B}{\Gamma \vdash_{\lambda\Pi/} M : B}\ \text{Conversion}
\]

Figure 2 Typing rules of λΠ/(Σ, R)


The λΠ-calculus modulo rewriting extends the λΠ-calculus with rewrite rules. By equating terms modulo a set of rewrite rules $R$ in addition to $\alpha$ and $\beta$ equivalence, it can type more terms using the conversion rule, and therefore express theories that are more complex. The calculus can be seen as a variant of Martin-Löf's logical framework [?] where equalities are expressed as rewrite rules.

We recall that a rewrite rule is a triple $[\Delta]\, M \hookrightarrow N$ where $\Delta$ is a context and $M, N$ are terms such that $FV(N) \subseteq FV(M)$. A set of rewrite rules $R$ induces a reduction relation on terms, written $\to_R$, defined as the smallest contextual closure such that if $[\Delta]\, M \hookrightarrow N \in R$ then $\sigma(M) \to_R \sigma(N)$ for any substitution $\sigma$ of the variables in $\Delta$. We define the relation $\to_{\beta R}$ as $\to_\beta \cup \to_R$, the relation $=_R$ as the smallest congruence containing $\to_R$, and the relation $=_{\beta R}$ as the smallest congruence containing $\to_{\beta R}$.

► Definition 3.1. A rewrite rule $[\Delta]\, M \hookrightarrow N$ is well-typed in a context $\Sigma$ when there is a term $A$ such that $\Sigma, \Delta \vdash_{\lambda\Pi} M : A$ and $\Sigma, \Delta \vdash_{\lambda\Pi} N : A$.

► Definition 3.2. Let $\Sigma$ be a well-formed λΠ context and $R$ a set of rewrite rules that are well-typed in $\Sigma$. The λΠ-calculus modulo $(\Sigma, R)$, written λΠ/(Σ, R), is defined with the same syntax as the λΠ-calculus, but with the typing rules of Figure 2. We write λΠ/ instead of λΠ/(Σ, R) when the context is unambiguous.


► Example 3.3. Let $\Sigma$ be the context

\[
\alpha : \mathrm{Type},\ c : \alpha,\ f : \alpha \to \mathrm{Type}
\]

and $R$ be the following rewrite rule

\[
[\cdot]\ f\, c \hookrightarrow \Pi y : \alpha.\, f\, y \to f\, y
\]

Then the term

\[
\delta = \lambda x : f\, c.\, x\, c\, x
\]

is well-typed in λΠ/(Σ, R):

\[
\vdash_{\lambda\Pi/(\Sigma, R)} \delta : f\, c \to f\, c
\]

Note that the term $\delta$ would not be well-typed without the rewrite rule, even if we replace all the occurrences of $f\, c$ in $\delta$ by $\Pi y : \alpha.\, f\, y \to f\, y$.

The system λΠ is a pure type system and therefore enjoys all the properties mentioned in Section 2. The behavior of λΠ/(Σ, R) however depends on the choice of $(\Sigma, R)$. In particular, some properties analogous to those of pure type systems depend on the confluence of the relation $\to_{\beta R}$.

► Theorem 3.4 (Correctness of types). If $\Gamma \vdash_{\lambda\Pi/} M : A$ then $\mathrm{WF}_{\lambda\Pi/}(\Gamma)$ and either $\Gamma \vdash_{\lambda\Pi/} A : s$ for some $s \in \{\mathrm{Type}, \mathrm{Kind}\}$ or $A = \mathrm{Kind}$.

► Theorem 3.5 (Top-sort types). If $\Gamma \vdash_{\lambda\Pi/} A : \mathrm{Kind}$ then either $A = \mathrm{Type}$ or $A = \Pi x : B.\, C$ for some terms $B, C$ such that $\Gamma, x : B \vdash_{\lambda\Pi/} C : \mathrm{Kind}$.

Assuming $\to_{\beta R}$ is confluent, the following properties hold [3].

► Theorem 3.6 (Product compatibility). If $\Pi x : A.\, B =_{\beta R} \Pi x : A'.\, B'$ then $A =_{\beta R} A'$ and $B =_{\beta R} B'$.

► Theorem 3.7 (Subject reduction). If $\Gamma \vdash_{\lambda\Pi/} M : A$ and $M \to_{\beta R} M'$ then $\Gamma \vdash_{\lambda\Pi/} M' : A$.

► Theorem 3.8 (Uniqueness of types). If $\Gamma \vdash_{\lambda\Pi/} M : A$ and $\Gamma \vdash_{\lambda\Pi/} M : B$ then $A =_{\beta R} B$.

4 Embedding FPTSs in the λΠ-calculus modulo

In this section, we present the embedding of functional pure type systems in the λΠ-calculus modulo rewriting as introduced by Cousineau and Dowek [5]. In this embedding, sorts are represented as universes à la Tarski, as introduced by Martin-Löf [?] and later developed by Luo [?] and Palmgren [?]. The embedding is done in two steps. First, given a pure type system λS, we construct λΠ/S by giving an appropriate signature and rewrite system. Second, we define a translation from the terms and types of λS to the terms and types of λΠ/S. The proofs of the theorems in this section can be found in the original paper [5].

► Definition 4.1 (The system λΠ/S). Consider a functional pure type system specified by $S = (\mathcal{S}, \mathcal{A}, \mathcal{R})$. Define $\Sigma_S$ to be the well-formed context containing the declarations:

\[
\begin{array}{ll}
U_s : \mathrm{Type} & \forall s \in \mathcal{S}\\
\varepsilon_s : U_s \to \mathrm{Type} & \forall s \in \mathcal{S}\\
\dot{s_1} : U_{s_2} & \forall (s_1 : s_2) \in \mathcal{A}\\
\pi_{s_1 s_2 s_3} : \Pi\alpha : U_{s_1}.\, (\varepsilon_{s_1}\, \alpha \to U_{s_2}) \to U_{s_3} & \forall (s_1, s_2, s_3) \in \mathcal{R}
\end{array}
\]

Let $R_S$ be the well-typed rewrite system containing the rules

\[
[\cdot]\ \varepsilon_{s_2}\, \dot{s_1} \hookrightarrow U_{s_1}
\]

for all $(s_1 : s_2) \in \mathcal{A}$, and

\[
[\Delta_{s_1 s_2 s_3}]\ \varepsilon_{s_3}\, (\pi_{s_1 s_2 s_3}\, A\, B) \hookrightarrow \Pi x : (\varepsilon_{s_1}\, A).\, \varepsilon_{s_2}\, (B\, x)
\]

for all $(s_1, s_2, s_3) \in \mathcal{R}$, where $\Delta_{s_1 s_2 s_3} = (A : U_{s_1}, B : (\varepsilon_{s_1}\, A \to U_{s_2}))$. The system λΠ/S is defined as the λΠ-calculus modulo $(\Sigma_S, R_S)$, that is, λΠ/(Σ_S, R_S).
► Theorem 4.2 (Confluence). The relation $\to_{\beta R}$ is confluent.

The translation is composed of two functions, one from the terms of λS to the terms of λΠ/S, the other from the types of λS to the types of λΠ/S.

► Definition 4.3. The translation $|M|_\Gamma$ of $\Gamma$-terms and the translation $\|A\|_\Gamma$ of $\Gamma$-types are mutually defined as follows.

\[
\begin{array}{rcl}
|s|_\Gamma &=& \dot{s}\\
|x|_\Gamma &=& x\\
|M\, N|_\Gamma &=& |M|_\Gamma\, |N|_\Gamma\\
|\lambda x : A.\, M|_\Gamma &=& \lambda x : \|A\|_\Gamma.\, |M|_{\Gamma, x : A}\\
|\Pi x : A.\, B|_\Gamma &=& \pi_{s_1 s_2 s_3}\, |A|_\Gamma\, (\lambda x : \|A\|_\Gamma.\, |B|_{\Gamma, x : A})\\
&& \quad \text{where } \Gamma \vdash A : s_1,\ \Gamma, x : A \vdash B : s_2 \text{ and } (s_1, s_2, s_3) \in \mathcal{R}\\[1ex]
\|s\|_\Gamma &=& U_s\\
\|\Pi x : A.\, B\|_\Gamma &=& \Pi x : \|A\|_\Gamma.\, \|B\|_{\Gamma, x : A}\\
\|A\|_\Gamma &=& \varepsilon_s\, |A|_\Gamma \quad \text{where } \Gamma \vdash A : s
\end{array}
\]

Note that this definition is redundant but it is well-defined up to $=_{\beta R}$. In particular, because some $\Gamma$-types are also $\Gamma$-terms, there are two ways to translate them, but they are equivalent:

\[
\varepsilon_{s_2}\, \dot{s_1} =_{\beta R} U_{s_1}
\qquad
\varepsilon_{s_3}\, |\Pi x : A.\, B|_\Gamma =_{\beta R} \Pi x : \|A\|_\Gamma.\, \|B\|_{\Gamma, x : A}
\]

This definition is naturally extended to well-formed contexts as follows.

\[
\|\Gamma, x : A\| = \|\Gamma\|, x : \|A\|_\Gamma
\]

► Example 4.4. The polymorphic identity function of the calculus of constructions λC is translated as

\[
|I| = \lambda\alpha : U_{\mathrm{Type}}.\, \lambda x : \varepsilon_{\mathrm{Type}}\, \alpha.\, x
\]

and its type $A = \Pi\alpha : \mathrm{Type}.\, \alpha \to \alpha$ is translated as:

\[
|A| = \pi_{\mathrm{Kind}, \mathrm{Type}, \mathrm{Type}}\, \dot{\mathrm{Type}}\, (\lambda\alpha : U_{\mathrm{Type}}.\, |A_\alpha|)
\]

where $A_\alpha = \alpha \to \alpha$ and

\[
|A_\alpha| = \pi_{\mathrm{Type}, \mathrm{Type}, \mathrm{Type}}\, \alpha\, (\lambda x : \varepsilon_{\mathrm{Type}}\, \alpha.\, \alpha)
\]

The identity function applied to itself is translated as:

\[
|I\, A\, I| = |I|\, |A|\, |I|
\]

The embedding is complete, in the sense that all the typing relations of λS are preserved by the translation.

► Theorem 4.5 (Completeness). For any context $\Gamma$ and terms $M$ and $A$, if $\Gamma \vdash_{\lambda S} M : A$ then $\|\Gamma\| \vdash_{\lambda\Pi/S} |M|_\Gamma : \|A\|_\Gamma$.




5 Conservativity

In this section, we prove the converse of the completeness property. One could attempt to prove that if $\|\Gamma\| \vdash_{\lambda\Pi/S} |M|_\Gamma : \|A\|_\Gamma$ then $\Gamma \vdash_{\lambda S} M : A$. However, that would be too weak because the translation $|M|_\Gamma$ is only defined for well-typed terms. A second attempt would be to define inverse translations $\varphi(M)$ and $\psi(A)$ and prove that if $\Gamma \vdash_{\lambda\Pi/S} M : A$ then $\psi(\Gamma) \vdash_{\lambda S} \varphi(M) : \psi(A)$, but that would not work either because not all terms and types of λΠ/S correspond to valid terms and types of λS, as was shown in Example 1.1. Therefore the property that we want to prove is: if there is a term $N$ such that $\|\Gamma\| \vdash_{\lambda\Pi/S} N : \|A\|_\Gamma$ then there is a term $M$ such that $\Gamma \vdash_{\lambda S} M : A$.

The main difficulty is that some of these external terms can be involved in witnessing valid λS types, as illustrated by the following example.

► Example 5.1. Consider the context $nat : \mathrm{Type}$. Even though the polymorphic identity function $I$ and its type are not well-typed in λHOL, they can be used in λΠ/HOL to construct a witness for $nat \to nat$:

\[
nat : U_{\mathrm{Type}} \vdash_{\lambda\Pi/HOL} (|I|\, nat) : (\varepsilon_{\mathrm{Type}}\, nat \to \varepsilon_{\mathrm{Type}}\, nat)
\]

We can normalize the term $|I|\, nat$ to $\lambda x : \varepsilon_{\mathrm{Type}}\, nat.\, x$, which is a term that corresponds to a valid λHOL term: it is the translation of the term $\lambda x : nat.\, x$. However, as discussed previously, we cannot restrict ourselves to normal terms because we do not know if λΠ/S is normalizing.

To prove conservativity, we will therefore need to address the following issues:

1. The system λΠ/S can type more terms than λS.

2. These terms can be used to construct proofs for the translation of λS types.

3. The λΠ/S terms that inhabit the translation of λS types can be reduced to the translation of λS terms.

We will proceed as follows. First, we will eliminate β-redexes at the level of Kind by reducing λΠ/S to a subset λΠ⁻/S. Then, we will extend λS to a minimal completion λS* that can type more terms than λS, and show that λΠ⁻/S corresponds to λS* using inverse translations $\varphi(M)$ and $\psi(A)$. Finally, we will show that λS* terms inhabiting λS types can be reduced to λS terms. The procedure is summarized in the following diagram.


, (Lemma|5.3fc 

xn/s- - pWAn-/s 


(Theorem|4.5[l |M| ||^|| 


V(M) 


i}j{A) (Lemma|5.14| 


AS 


(Lenima |5.22[ 

/3* 


Y 

AS* 


5.1 Eliminating β-redexes at the level of Kind

In λΠ/S, we can have β-redexes at the level of Kind such as $(\lambda x : A.\, U_s)\, M$. These redexes are artificial and are never generated by the forward translation of any PTS. We show here that they can always be safely eliminated.

► Definition 5.2. A $\Gamma$-term $M$ of type $C$ is at the level of Kind (resp. Type) if $\Gamma \vdash C : \mathrm{Kind}$ (resp. $\Gamma \vdash C : \mathrm{Type}$). We define λΠ⁻/S terms as the subset of well-typed λΠ/S terms that do not contain any Kind-level β-redexes.
► Lemma 5.3. For any λΠ/S context $\Gamma$ and $\Gamma$-term $M$, there is a λΠ⁻/S term $M^-$ such that $M \to^*_\beta M^-$.

Proof. Reducing a Kind-level β-redex $(\lambda x : A.\, B)\, N$ does not create other Kind-level β-redexes because $N$ is at the level of Type. Indeed, in the λΠ-calculus modulo rewriting the only Kind rule is $(\mathrm{Type}, \mathrm{Kind}, \mathrm{Kind})$. Therefore $N : A : \mathrm{Type}$. If $N$ reduces to a λ-abstraction then the only redexes it can create are at the level of Type. Therefore, the number of Kind-level β-redexes strictly decreases, so any Kind-level β-reduction strategy will terminate. ◄

► Example 5.4. The term

\[
I_1 = \lambda\alpha : U_{\mathrm{Type}}.\, \lambda x : \varepsilon_{\mathrm{Type}}\, ((\lambda\beta : U_{\mathrm{Type}}.\, \beta)\, \alpha).\, x
\]

is in λΠ⁻/HOL. The term

\[
I_2 = \lambda\alpha : U_{\mathrm{Type}}.\, \lambda x : ((\lambda\beta : U_{\mathrm{Type}}.\, \varepsilon_{\mathrm{Type}}\, \beta)\, \alpha).\, x
\]

is not in λΠ⁻/HOL but

\[
I_2 \to_\beta \lambda\alpha : U_{\mathrm{Type}}.\, \lambda x : \varepsilon_{\mathrm{Type}}\, \alpha.\, x
\]

which is in λΠ⁻/HOL.

5.2 Minimal completion

To simplify our reducibility proof in the next section, we will translate λΠ/S back to a pure type system, but since it cannot be λS we will define a slightly larger PTS called λS* that contains λS and that will be easier to manipulate than λΠ/S.

The reason we need a larger PTS is that we have types that do not have a type, such as top-sorts, because there is no associated axiom. Similarly, we can sometimes prove $\Gamma, x : A \vdash M : B$ but cannot abstract over $x$ because there is no associated product rule. Completions of pure type systems were originally introduced by Severi [16] to address these issues by injecting λS into a larger pure type system.

► Definition 5.5 (Completion [16]). A specification $S' = (\mathcal{S}', \mathcal{A}', \mathcal{R}')$ is a completion of $S$ if

1. $\mathcal{S} \subseteq \mathcal{S}'$, $\mathcal{A} \subseteq \mathcal{A}'$, $\mathcal{R} \subseteq \mathcal{R}'$, and

2. for all sorts $s_1 \in \mathcal{S}$, there is a sort $s_2 \in \mathcal{S}'$ such that $(s_1 : s_2) \in \mathcal{A}'$, and

3. for all sorts $s_1, s_2 \in \mathcal{S}'$, there is a sort $s_3 \in \mathcal{S}'$ such that $(s_1, s_2, s_3) \in \mathcal{R}'$.

Notice that all the top-sorts of λS are typable in λS' and that λS' is full, meaning that all products are typable. These two properties reflect exactly the discrepancy between λS and λΠ⁻/S. Not all completions are conservative though, so we define the following completion.

► Definition 5.6 (Minimal completion). We define the minimal completion of $S$, written $S^*$, to be the following specification:

\[
\begin{array}{rcl}
\mathcal{S}^* &=& \mathcal{S} \cup \{\tau\}\\
\mathcal{A}^* &=& \mathcal{A} \cup \{(s_1 : \tau) \mid s_1 \in \mathcal{S},\ \nexists s_2.\ (s_1 : s_2) \in \mathcal{A}\}\\
\mathcal{R}^* &=& \mathcal{R} \cup \{(s_1, s_2, \tau) \mid s_1, s_2 \in \mathcal{S}^*,\ \nexists s_3.\ (s_1, s_2, s_3) \in \mathcal{R}\}
\end{array}
\]

where $\tau \notin \mathcal{S}$.

We add a new top-sort $\tau$ and axioms $s : \tau$ for all previous top-sorts $s$, and complete the rules to obtain a full PTS. The new system is a completion by Definition 5.5 and it is minimal in the sense that we generically added the smallest number of sorts, axioms, and rules so that the result is guaranteed to be conservative. Any well-typed term of λS is also well-typed in λS*, but just like λΠ⁻/S, this system allows more functions than λS.
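The construction of Definition 5.6, together with the checks of Definitions 2.1 (functional, full) and 5.5 (completion), written out as an added Python example; this is not code from the paper. It is run on the λHOL specification of Section 1, encoded as a constructed triple of Python sets, and the new top-sort is named `tau` here by assumption.

```python
"""Minimal completion S* of a PTS specification (Definition 5.6), with the
checks of Definitions 2.1 and 5.5, applied to the lambda-HOL specification.
A specification is a triple (S, A, R) of sets: sorts, axioms (s1, s2)
standing for (s1 : s2), and rules (s1, s2, s3)."""

def top_sorts(S, A):
    """Sorts that have no axiom (s : s') in A (Definition 2.6)."""
    return {s for s in S if not any(s1 == s for s1, _ in A)}

def is_functional(A, R):
    """Definition 2.1: A is a function of s1, R a function of (s1, s2)."""
    return (len({s1 for s1, _ in A}) == len(A)
            and len({(s1, s2) for s1, s2, _ in R}) == len(R))

def is_full(S, R):
    """Definition 2.1: every pair of sorts has a product rule."""
    ruled = {(s1, s2) for s1, s2, _ in R}
    return all((s1, s2) in ruled for s1 in S for s2 in S)

def is_completion(spec, spec2):
    """Definition 5.5: spec2 = (S', A', R') is a completion of spec = (S, A, R)."""
    (S, A, R), (S2, A2, R2) = spec, spec2
    return (S <= S2 and A <= A2 and R <= R2                      # condition 1
            and all(any(s1 == s for s1, _ in A2) for s in S)      # condition 2
            and is_full(S2, R2))                                  # condition 3

def minimal_completion(spec, tau='tau'):
    """Definition 5.6: add one top-sort tau, an axiom s : tau for each old
    top-sort s, and a rule (s1, s2, tau) for every pair of S* without a rule."""
    S, A, R = spec
    assert tau not in S, "tau must be a fresh sort"
    S_star = S | {tau}
    A_star = A | {(s, tau) for s in top_sorts(S, A)}
    ruled = {(s1, s2) for s1, s2, _ in R}
    R_star = R | {(s1, s2, tau) for s1 in S_star for s2 in S_star
                  if (s1, s2) not in ruled}
    return S_star, A_star, R_star

# Constructed input: the lambda-HOL specification from Section 1 of the paper.
HOL = ({'Prop', 'Type', 'Kind'},
       {('Prop', 'Type'), ('Type', 'Kind')},
       {('Prop', 'Prop', 'Prop'), ('Type', 'Prop', 'Prop'), ('Type', 'Type', 'Type')})

def hol_star_report():
    """Summarise lambda-HOL* and the rule that types the polymorphic identity."""
    S_star, A_star, R_star = minimal_completion(HOL)
    return {
        'functional_before': is_functional(HOL[1], HOL[2]),
        'functional_after': is_functional(A_star, R_star),
        'full_before': is_full(HOL[0], HOL[2]),
        'is_completion': is_completion(HOL, (S_star, A_star, R_star)),
        'new_axioms': A_star - HOL[1],
        # the product (Pi alpha:Type. alpha -> alpha) needs a (Kind, Type, _) rule
        'rule_for_poly_identity': next(r for r in R_star if r[:2] == ('Kind', 'Type')),
        'n_rules': len(R_star),
    }

if __name__ == '__main__':
    for key, value in hol_star_report().items():
        print(f"{key}: {value}")
```

The report shows why Example 5.7 holds: λHOL has no rule whose first two components are (Kind, Type), so the completion adds (Kind, Type, τ), and the type of the polymorphic identity lands in the new top-sort τ rather than in Type as it would in λU⁻.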

► Example 5.7. The polymorphic identity function is well-typed in λHOL*.

\[
\vdash_{\lambda HOL^*} I : \Pi\alpha : \mathrm{Type}.\, \alpha \to \alpha
\qquad
\vdash_{\lambda HOL^*} \Pi\alpha : \mathrm{Type}.\, \alpha \to \alpha : \tau
\]
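The derivation behind Example 5.7, added here as a worked illustration (not part of the paper's text), shows which rules of $S^*$ are used and where λHOL itself fails. By Definition 5.6 applied to λHOL, $\mathcal{A}^* \ni (\mathrm{Type} : \mathrm{Kind}), (\mathrm{Kind} : \tau)$ and $\mathcal{R}^* \ni (\mathrm{Type}, \mathrm{Type}, \mathrm{Type}), (\mathrm{Kind}, \mathrm{Type}, \tau)$:

\[
\begin{array}{ll}
(1)\ \vdash \mathrm{Type} : \mathrm{Kind} & \text{Sort, axiom } (\mathrm{Type} : \mathrm{Kind})\\
(2)\ \alpha : \mathrm{Type} \vdash \alpha : \mathrm{Type} & \text{Declaration on (1), then Variable}\\
(3)\ \alpha : \mathrm{Type}, x : \alpha \vdash \alpha : \mathrm{Type} & \text{Declaration on (2), then Variable}\\
(4)\ \alpha : \mathrm{Type} \vdash \Pi x : \alpha.\, \alpha : \mathrm{Type} & \text{Product on (2), (3) with } (\mathrm{Type}, \mathrm{Type}, \mathrm{Type})\\
(5)\ \vdash \Pi\alpha : \mathrm{Type}.\, \Pi x : \alpha.\, \alpha : \tau & \text{Product on (1), (4) with } (\mathrm{Kind}, \mathrm{Type}, \tau)\\
(6)\ \alpha : \mathrm{Type}, x : \alpha \vdash x : \alpha & \text{Variable}\\
(7)\ \alpha : \mathrm{Type} \vdash \lambda x : \alpha.\, x : \Pi x : \alpha.\, \alpha & \text{Abstraction on (6), (4)}\\
(8)\ \vdash \lambda\alpha : \mathrm{Type}.\, \lambda x : \alpha.\, x : \Pi\alpha : \mathrm{Type}.\, \Pi x : \alpha.\, \alpha & \text{Abstraction on (7), (5)}
\end{array}
\]

Step (5) is the only step unavailable in λHOL, whose $\mathcal{R}$ contains no rule with first two components $(\mathrm{Kind}, \mathrm{Type})$; without (5), the Abstraction rule cannot be applied in (8). In λU⁻ the added rule is $(\mathrm{Kind}, \mathrm{Type}, \mathrm{Type})$, so the same product receives the sort Type, which is the impredicative step that the completion avoids by sending it to the new top-sort $\tau$.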

Next, we define inverse translations that translate the terms and types of λΠ⁻/S to the terms and types of λS*.

► Definition 5.8 (Inverse translations). The inverse translation of terms $\varphi(M)$ and the inverse translation of types $\psi(A)$ are mutually defined as follows.

\[
\begin{array}{rcl}
\varphi(\dot{s}) &=& s\\
\varphi(\pi_{s_1 s_2 s_3}) &=& \lambda\alpha : s_1.\, \lambda\beta : (\alpha \to s_2).\, \Pi x : \alpha.\, \beta\, x\\
\varphi(x) &=& x\\
\varphi(M\, N) &=& \varphi(M)\, \varphi(N)\\
\varphi(\lambda x : A.\, M) &=& \lambda x : \psi(A).\, \varphi(M)\\[1ex]
\psi(U_s) &=& s\\
\psi(\varepsilon_s\, M) &=& \varphi(M)\\
\psi(\Pi x : A.\, B) &=& \Pi x : \psi(A).\, \psi(B)
\end{array}
\]

Note that this is only a partial definition, but it is total for λΠ⁻/S terms. In particular, it is an inverse of the forward translation in the following sense.


► Lemma 5.9. For any $\Gamma$-term $M$ and $\Gamma$-type $A$,

1. $\varphi(|M|_\Gamma) =_\beta M$,

2. $\psi(\|A\|_\Gamma) =_\beta A$.

Proof. By induction on $M$ or $A$. We show the product case where $M = \Pi x : A.\, B$. By induction hypothesis, $\varphi(|A|) =_\beta A$ and $\varphi(|B|) =_\beta B$. Therefore

\[
\begin{array}{rcl}
\varphi(|M|) &=& (\lambda\alpha.\, \lambda\beta.\, \Pi x : \alpha.\, \beta\, x)\ \varphi(|A|)\ (\lambda x.\, \varphi(|B|))\\
&\to^*_\beta& \Pi x : \varphi(|A|).\, \varphi(|B|)\\
&=_\beta& \Pi x : A.\, B
\end{array}
\]

◄
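Definition 5.8 and Lemma 5.9 carried out mechanically, as an added Python example that is not code from the paper: a syntactic implementation of $\varphi$ and $\psi$, a capture-avoiding β-normaliser, and the translated terms $|I|$ and $|A|$ of Example 4.4 entered as constructed inputs. The tuple encoding of terms and the names `phi`, `psi`, `normalize` and `alpha_eq` are this example's own choices.

```python
"""Inverse translations phi / psi of Definition 5.8 on the translated terms of
Example 4.4, with a beta-normaliser to check Lemma 5.9 on that example.
Terms are plain tuples:
  ('sort', s)  ('var', x)  ('app', M, N)  ('lam', x, A, M)  ('pi', x, A, B)
and the lambda-Pi/S constants
  ('U', s)  ('eps', s)  ('dot', s)  ('pic', s1, s2, s3)    # U_s, eps_s, dot s, pi_{s1 s2 s3}"""
import itertools

_counter = itertools.count()

def fresh(x):
    """A variable name not used anywhere else (base name kept for readability)."""
    return f"{x.split('#')[0]}#{next(_counter)}"

def subst(t, x, n):
    """Capture-avoiding substitution t[x\\n]; every binder crossed is renamed."""
    k = t[0]
    if k == 'var':
        return n if t[1] == x else t
    if k == 'app':
        return ('app', subst(t[1], x, n), subst(t[2], x, n))
    if k in ('lam', 'pi'):
        _, y, a, b = t
        y2 = fresh(y)
        return (k, y2, subst(a, x, n), subst(subst(b, y, ('var', y2)), x, n))
    return t                      # sorts and lambda-Pi/S constants

def normalize(t):
    """Beta-normal form; the inverse images used here are simply typed, so it exists."""
    k = t[0]
    if k == 'app':
        f, a = normalize(t[1]), normalize(t[2])
        if f[0] == 'lam':
            return normalize(subst(f[3], f[1], a))
        return ('app', f, a)
    if k in ('lam', 'pi'):
        return (k, t[1], normalize(t[2]), normalize(t[3]))
    return t

def phi(t):
    """phi(M): inverse translation of terms (Definition 5.8)."""
    k = t[0]
    if k == 'dot':                # dot s -> s
        return ('sort', t[1])
    if k == 'pic':                # pi_{s1 s2 s3} -> lam a:s1. lam b:(a -> s2). Pi x:a. b x
        s1, s2 = t[1], t[2]
        a, b, x = fresh('a'), fresh('b'), fresh('x')
        arrow = ('pi', fresh('_'), ('var', a), ('sort', s2))
        return ('lam', a, ('sort', s1),
                ('lam', b, arrow, ('pi', x, ('var', a), ('app', ('var', b), ('var', x)))))
    if k == 'var':
        return t
    if k == 'app':
        return ('app', phi(t[1]), phi(t[2]))
    if k == 'lam':
        return ('lam', t[1], psi(t[2]), phi(t[3]))
    raise ValueError(f"phi is partial; undefined on {t}")

def psi(t):
    """psi(A): inverse translation of types (Definition 5.8)."""
    if t[0] == 'U':                                   # U_s -> s
        return ('sort', t[1])
    if t[0] == 'app' and t[1][0] == 'eps':            # eps_s M -> phi(M)
        return phi(t[2])
    if t[0] == 'pi':
        return ('pi', t[1], psi(t[2]), psi(t[3]))
    raise ValueError(f"psi is partial; undefined on {t}")

def alpha_eq(t, u, env=()):
    """Equality up to renaming of bound variables (env pairs bound names, innermost first)."""
    if t[0] != u[0]:
        return False
    k = t[0]
    if k == 'var':
        for a, b in env:
            if t[1] == a or u[1] == b:
                return t[1] == a and u[1] == b
        return t[1] == u[1]
    if k == 'app':
        return alpha_eq(t[1], u[1], env) and alpha_eq(t[2], u[2], env)
    if k in ('lam', 'pi'):
        return alpha_eq(t[2], u[2], env) and alpha_eq(t[3], u[3], ((t[1], u[1]),) + env)
    return t == u

def var(x):
    return ('var', x)

def eps(s, m):
    return ('app', ('eps', s), m)

# Constructed inputs, transcribed from Example 4.4 (calculus of constructions):
#   |I| = lam alpha:U_Type. lam x:eps_Type alpha. x
I_tr = ('lam', 'alpha', ('U', 'Type'), ('lam', 'x', eps('Type', var('alpha')), var('x')))
#   |A| = pi_{Kind,Type,Type} (dot Type) (lam alpha:U_Type. pi_{Type,Type,Type} alpha (lam x:eps_Type alpha. alpha))
A_tr = ('app', ('app', ('pic', 'Kind', 'Type', 'Type'), ('dot', 'Type')),
        ('lam', 'alpha', ('U', 'Type'),
         ('app', ('app', ('pic', 'Type', 'Type', 'Type'), var('alpha')),
          ('lam', 'x', eps('Type', var('alpha')), var('alpha')))))
# The lambda-C originals:  I = lam alpha:Type. lam x:alpha. x   and   A = Pi alpha:Type. Pi x:alpha. alpha
I_src = ('lam', 'alpha', ('sort', 'Type'), ('lam', 'x', var('alpha'), var('x')))
A_src = ('pi', 'alpha', ('sort', 'Type'), ('pi', 'x', var('alpha'), var('alpha')))

def check_lemma_5_9():
    """Lemma 5.9 on the example: phi(|I|) =beta I, phi(|A|) =beta A, psi(||A||) =beta A."""
    return (alpha_eq(normalize(phi(I_tr)), I_src),
            alpha_eq(normalize(phi(A_tr)), A_src),
            alpha_eq(normalize(psi(eps('Type', A_tr))), A_src))

if __name__ == '__main__':
    print(normalize(phi(A_tr)))
    print(check_lemma_5_9())
```

Running it shows the two β-steps of the proof above concretely: $\varphi(|A|)$ is an application of the two λ-abstractions produced by $\varphi(\pi_{\ldots})$, and only after normalisation does it become a term α-equivalent to $\Pi\alpha : \mathrm{Type}.\, \Pi x : \alpha.\, \alpha$, which is why the lemma is stated up to $=_\beta$ rather than syntactic equality.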


Next we show that the inverse translations preserve typing.

► Lemma 5.10.

1. $\varphi(M[x \backslash N]) = \varphi(M)[x \backslash \varphi(N)]$

2. $\psi(A[x \backslash N]) = \psi(A)[x \backslash \varphi(N)]$

Proof. By induction on $M$ or $A$. We show the product case $A = \Pi y : B.\, C$. Without loss of generality, $y \neq x$, $y \notin FV(N)$ and $y \notin FV(\varphi(N))$. Then $(\Pi y : B.\, C)[x \backslash N] = \Pi y : B[x \backslash N].\, C[x \backslash N]$. By induction hypothesis, $\psi(B[x \backslash N]) = \psi(B)[x \backslash \varphi(N)]$ and $\psi(C[x \backslash N]) = \psi(C)[x \backslash \varphi(N)]$. Therefore

\[
\begin{array}{rcl}
\psi(A[x \backslash N]) &=& \Pi y : \psi(B)[x \backslash \varphi(N)].\, \psi(C)[x \backslash \varphi(N)]\\
&=& (\Pi y : \psi(B).\, \psi(C))[x \backslash \varphi(N)]\\
&=& \psi(\Pi y : B.\, C)[x \backslash \varphi(N)]
\end{array}
\]

◄

► Lemma 5.11.

1. If $M \to_{\beta R} N$ then $\varphi(M) \to^*_\beta \varphi(N)$

2. If $A \to_{\beta R} B$ then $\psi(A) \to^*_\beta \psi(B)$

Proof. By induction on $M$ or $A$. We show the base cases.

- Case $M = (\lambda x : A_1.\, M_1)\, N_1$, $N = M_1[x \backslash N_1]$. Then $\varphi(M) = (\lambda x : \psi(A_1).\, \varphi(M_1))\, \varphi(N_1)$. Therefore $\varphi(M) \to_\beta \varphi(M_1)[x \backslash \varphi(N_1)]$, which is equal to $\varphi(M_1[x \backslash N_1])$ by Lemma 5.10.

- Case $A = \varepsilon_{s_2}\, \dot{s_1}$, $B = U_{s_1}$. Then $\psi(A) = s_1 = \psi(B)$.

- Case $A = \varepsilon_{s_3}\, (\pi_{s_1 s_2 s_3}\, A_1\, B_1)$, $B = \Pi x : \varepsilon_{s_1}\, A_1.\, \varepsilon_{s_2}\, (B_1\, x)$. Then

\[
\begin{array}{rcl}
\psi(A) &=& (\lambda\alpha.\, \lambda\beta.\, \Pi x : \alpha.\, \beta\, x)\ \varphi(A_1)\ \varphi(B_1)\\
&\to^*_\beta& \Pi x : \varphi(A_1).\, \varphi(B_1)\, x\\
&=& \psi(\Pi x : \varepsilon_{s_1}\, A_1.\, \varepsilon_{s_2}\, (B_1\, x))
\end{array}
\]

◄

► Lemma 5.12.

1. If $M =_{\beta R} N$ then $\varphi(M) =_\beta \varphi(N)$

2. If $A =_{\beta R} B$ then $\psi(A) =_\beta \psi(B)$

Proof. Follows from Lemma 5.11. ◄

Because the forward translation of contexts does not introduce any type variable, we define the following restriction on contexts.

► Definition 5.13 (Object context). We say that $\Gamma$ is an object context if $\Gamma \vdash_{\lambda\Pi/S} A : \mathrm{Type}$ for all $x : A \in \Gamma$. If $\Gamma = (x_1 : A_1, \ldots, x_n : A_n)$ is an object context, we define $\psi(\Gamma)$ as $(x_1 : \psi(A_1), \ldots, x_n : \psi(A_n))$.

► Lemma 5.14. For any λΠ⁻/S object context $\Gamma$ and terms $M, A$:

1. If $\mathrm{WF}_{\lambda\Pi/S}(\Gamma)$ then $\mathrm{WF}_{\lambda S^*}(\psi(\Gamma))$.

2. If $\Gamma \vdash_{\lambda\Pi/S} M : A : \mathrm{Type}$ then $\psi(\Gamma) \vdash_{\lambda S^*} \varphi(M) : \psi(A)$.

3. If $\Gamma \vdash_{\lambda\Pi/S} A : \mathrm{Type}$ then $\psi(\Gamma) \vdash_{\lambda S^*} \psi(A) : s$ for some sort $s \in \mathcal{S}^*$.

Proof. By induction on the derivation. The details of the proof can be found in the Appendix. ◄


5.3 Reduction to λS*

In order to show that λS* is a conservative extension of λS, we prove that β-reduction at the level of $\tau$ terminates. A straightforward proof by induction would fail because contracting a $\tau$-level β-redex can create other such redexes. To solve this, we adapt Tait's reducibility method [18]. The idea is to strengthen the induction hypothesis of the proof by defining a predicate by induction on the type of the term.
► Definition 5.15. The predicate $\Gamma \models_S M : A$ is defined as $\mathrm{WF}_{\lambda S}(\Gamma)$ and $\Gamma \vdash_{\lambda S^*} M : A : s$ for some sort $s$ and:

- if $s \neq \tau$ or $A = s'$ for some $s' \in \mathcal{S}$ then $\Gamma \models_S M : A$ iff $M \to^*_\beta M'$ and $A \to^*_\beta A'$ for some $M', A'$ such that $\Gamma \vdash_{\lambda S} M' : A'$,

- if $s = \tau$ and $A = \Pi x : B.\, C$ for some $B, C$ then $\Gamma \models_S M : A$ iff for all $N$ such that $\Gamma \models_S N : B$, $\Gamma \models_S M\, N : C[x \backslash N]$.

Note that this recursive definition covers all cases thanks to Theorem 2.7. To show that it is well-founded, we define the following measure of $A$.

► Definition 5.16. If $\mathrm{WF}_{\lambda S}(\Gamma)$ and $\Gamma \vdash_{\lambda S^*} A : s$ then $\mathcal{H}_\Gamma(A)$ is defined as:

\[
\begin{array}{rcll}
\mathcal{H}_\Gamma(A) &=& 0 & \text{if } s \neq \tau\\
\mathcal{H}_\Gamma(s') &=& 0 & \text{if } s = \tau\\
\mathcal{H}_\Gamma(\Pi x : B.\, C) &=& 1 + \max(\mathcal{H}_\Gamma(B), \mathcal{H}_{\Gamma, x : B}(C)) & \text{if } s = \tau
\end{array}
\]

► Lemma 5.17. If $\Gamma, x : B \vdash_{\lambda S^*} C : \tau$ and $\Gamma \vdash_{\lambda S^*} N : B$ then $\mathcal{H}_\Gamma(C[x \backslash N]) = \mathcal{H}_{\Gamma, x : B}(C)$.

Proof. By induction on $C$. ◄

► Corollary 5.18. Definition 5.15 is well-founded.

Proof. The measure $\mathcal{H}_\Gamma(A)$ strictly decreases in the definition. ◄
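Definitions 5.15 and 5.16 unfolded on the running example, added here as a worked illustration that is not part of the paper's text. Take $\Gamma = (nat : \mathrm{Type})$ as in Example 5.1 and $A = \Pi\alpha : \mathrm{Type}.\, \Pi x : \alpha.\, \alpha$, which has sort $\tau$ in λHOL* by the rule $(\mathrm{Kind}, \mathrm{Type}, \tau)$. The measure is

\[
\mathcal{H}_\Gamma(\Pi\alpha : \mathrm{Type}.\, \Pi x : \alpha.\, \alpha)
= 1 + \max(\mathcal{H}_\Gamma(\mathrm{Type}),\ \mathcal{H}_{\Gamma, \alpha : \mathrm{Type}}(\Pi x : \alpha.\, \alpha))
= 1 + \max(0, 0) = 1,
\]

since $\mathrm{Type} : \mathrm{Kind}$ and $\Pi x : \alpha.\, \alpha : \mathrm{Type}$ both have a sort different from $\tau$. Unfolding the predicate for the identity $I$ of Example 5.7 therefore takes exactly one product step:

\[
\Gamma \models_S I : A
\iff
\text{for all } N \text{ with } \Gamma \models_S N : \mathrm{Type},\quad
\Gamma \models_S I\, N : \Pi x : N.\, N
\]

and the right-hand side is the base clause of Definition 5.15 (its sort is Type, not $\tau$), so it asks for reducts $I\, N \to^*_\beta M'$ and $\Pi x : N.\, N \to^*_\beta A'$ typable in λHOL. For $N = nat$ we get $I\, nat \to_\beta \lambda x : nat.\, x$ and $nat : \mathrm{Type} \vdash_{\lambda HOL} \lambda x : nat.\, x : \Pi x : nat.\, nat$, which is the λHOL term that Example 5.1 recovers after normalisation; the measure dropping from $1$ to $0$ at the single unfolding is Corollary 5.18 on this instance.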

The predicate we defined is compatible with β-equivalence.

► Lemma 5.19. If $\Gamma \models_S M : A$ and $\Gamma \vdash_{\lambda S^*} M' : A$ and $M =_\beta M'$ then $\Gamma \models_S M' : A$.

Proof. By induction on the height of $A$.

- If $s \neq \tau$ or $A = s'$ for some $s' \in \mathcal{S}$ then $M \to^*_\beta M''$ and $A \to^*_\beta A'$ for some $M'', A'$ such that $\Gamma \vdash_{\lambda S} M'' : A'$. By confluence and subject reduction, $M' \to^*_\beta M'''$ such that $\Gamma \vdash_{\lambda S} M''' : A'$.

- If $s = \tau$ and $A = \Pi x : B.\, C$ for some $B, C$ then for all $N$ such that $\Gamma \models_S N : B$, $\Gamma \models_S M\, N : C[x \backslash N]$. By induction hypothesis, $\Gamma \models_S M'\, N : C[x \backslash N]$. Therefore $\Gamma \models_S M' : \Pi x : B.\, C$. ◄

► Lemma 5.20. If $\Gamma \models_S M : A$ and $\Gamma \vdash_{\lambda S^*} A' : s$ and $A =_\beta A'$ then $\Gamma \models_S M : A'$.

Proof. By induction on the height of $A$.

- If $s \neq \tau$ or $A = s'$ for some $s' \in \mathcal{S}$ then $M \to^*_\beta M'$ and $A \to^*_\beta A''$ for some $M', A''$ such that $\Gamma \vdash_{\lambda S} M' : A''$. By conversion, $\Gamma \vdash_{\lambda S^*} M : A'$, so by subject reduction $\Gamma \vdash_{\lambda S^*} M' : A'$. By confluence, subject reduction, and conversion, $A' \to^*_\beta A'''$ such that $\Gamma \vdash_{\lambda S} M' : A'''$.

- If $s = \tau$ and $A = \Pi x : B.\, C$ for some $B, C$ then for all $N$ such that $\Gamma \models_S N : B$, $\Gamma \models_S M\, N : C[x \backslash N]$. By product compatibility, $A' = \Pi x : B'.\, C'$ such that $B =_\beta B'$ and $C =_\beta C'$. By induction hypothesis, $\Gamma \models_S M\, N : C'[x \backslash N]$. Therefore $\Gamma \models_S M : \Pi x : B'.\, C'$. ◄

We extend the definition of the inductive predicate to contexts and substitutions before proving the main general lemma.

► Definition 5.21. If $\mathrm{WF}_{\lambda S^*}(\Gamma)$, $\mathrm{WF}_{\lambda S}(\Gamma')$, and $\sigma$ is a substitution for the variables of $\Gamma$, then $\Gamma' \models_S \sigma : \Gamma$ when $\Gamma' \models_S \sigma(x) : \sigma(A)$ for all $(x : A) \in \Gamma$.

► Lemma 5.22. If $\Gamma \vdash_{\lambda S^*} M : A : s$ then for any context $\Gamma'$ and substitution $\sigma$ such that $\mathrm{WF}_{\lambda S}(\Gamma')$ and $\Gamma' \models_S \sigma : \Gamma$, $\Gamma' \models_S \sigma(M) : \sigma(A)$.

Proof. By induction on the derivation of $\Gamma \vdash_{\lambda S^*} M : A$. The details of the proof can be found in the Appendix. ◄

► Corollary 5.23. Suppose $\mathrm{WF}_{\lambda S}(\Gamma)$ and either $\Gamma \vdash_{\lambda S} A : s$ or $A = s$ for some $s \in \mathcal{S}$. If $\Gamma \vdash_{\lambda S^*} M : A$ then $M \to^*_\beta M'$ such that $\Gamma \vdash_{\lambda S} M' : A$.

Proof. Taking $\sigma$ as the identity substitution, there are terms $M'$ and $A'$ such that $M \to^*_\beta M'$ and $A \to^*_\beta A'$ and $\Gamma \vdash_{\lambda S} M' : A'$. If $A = s \in \mathcal{S}$ then $A' = s$ and we are done. Otherwise by conversion we get $\Gamma \vdash_{\lambda S} M' : A$. ◄


We now have all the tools to prove the main theorem.

► Theorem 5.24 (Conservativity). For any $\Gamma$-type $A$ of λS, if there is a term $N$ such that $\|\Gamma\| \vdash_{\lambda\Pi/S} N : \|A\|_\Gamma$ then there is a term $M$ such that $\Gamma \vdash_{\lambda S} M : A$.

Proof. By Lemma 5.3, there is a λΠ⁻/S term $N^-$ such that $N \to^*_\beta N^-$. By subject reduction, $\|\Gamma\| \vdash_{\lambda\Pi/S} N^- : \|A\|_\Gamma$. By Lemmas 5.14 and 5.9, $\Gamma \vdash_{\lambda S^*} \varphi(N^-) : A$. By Corollary 5.23, there is a term $M$ such that $\varphi(N^-) \to^*_\beta M$ and $\Gamma \vdash_{\lambda S} M : A$. ◄


6 Conclusion

We have shown that λΠ/S is conservative even when λS is not normalizing. Even though λΠ/S can construct more functions than λS, it preserves the semantics of λS. This effect is similar to various conservative extensions of pure type systems such as pure type systems with definitions [?], pure type systems without the Π-condition [?], or predicative (ML) polymorphism [?]. Inconsistency in pure type systems usually does not come from the ability to type more functions, but from the possible impredicativity caused by assigning a sort to the type of these functions. It is clear that no such effect arises in λΠ/S because there is no constant $\pi$ associated to the type of illegal abstractions.

One could ask whether the techniques we used are adequate. While the construction of λS* is not absolutely necessary, we feel that it simplifies the proof and that it helps us better understand the behavior of λΠ/S by reflecting it back into a pure type system. The relative normalization steps of Section 5.3 correspond to the normalization of a simply typed λ-calculus. Therefore, it is not surprising that we had to use Tait's reducibility method. However, our proof can be simplified in some cases. A PTS is complete when it is a completion of itself. In that case, the construction of $S^*$ is unnecessary. The translations $\varphi(M)$ and $\psi(A)$ translate directly into λS, and Section 5.3 can be omitted. This is the case for example for the calculus of constructions with infinite type hierarchy (λC^∞) [17], which is the basis for proof assistants such as Coq and Matita.

The results of this paper can be extended in several directions. They could be adapted to show the conservativity of other embeddings, such as that of the calculus of inductive constructions (CIC) [3]. They also indirectly imply that λΠ/S is weakly normalizing when λS is weakly normalizing, because the image of a λS term is normalizing [5]. The strong normalization of λΠ/S when λS is strongly normalizing is still an open problem. The Barendregt-Geuvers-Klop conjecture states that any weakly normalizing PTS is also strongly normalizing [?]. There is evidence that this conjecture is true [2], in which case we hope that its proof could be adapted to prove the strong normalization of λΠ/S. Weak normalization could also be used as an intermediary step for constructing models by induction on types in order to prove strong normalization.
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Appendix 


Proof details 


► Lemma ( 5.14| ). For any AH /S object context T and terms M,A: 

1. IfWF^u/s(T) thenWFxs^{^p(T)). 

2. IfF l-;^n/s M : A: Type then tp{F) <f{M) : 'ip{A). 

3. IfF l->,n/s ^ : Type then iffF) h^s* ip{A) : s for some sort s G S*. 


Proof. By induction on the derivation. 

1. There are 2 cases. 

Empty 

$$\frac{}{\mathrm{WF}(\cdot)}$$ 

Then $\mathrm{WF}(\cdot)$ trivially. 

Declaration 

$$\frac{\mathrm{WF}(\Gamma) \qquad \Gamma \vdash A : \mathrm{Type} \qquad x \notin \Sigma, \Gamma}{\mathrm{WF}(\Gamma, x : A)}$$ 

Then $x \notin \psi(\Gamma)$. By induction hypothesis, $\mathrm{WF}(\psi(\Gamma))$ and $\psi(\Gamma) \vdash \psi(A) : s$ for some 
sort $s \in S^*$. Therefore $\mathrm{WF}(\psi(\Gamma), x : \psi(A))$. 

2. There are 4 cases. 

Variable 

$$\frac{\mathrm{WF}(\Gamma) \qquad (x : A) \in \Sigma, \Gamma}{\Gamma \vdash x : A}$$ 

By induction hypothesis, $\mathrm{WF}(\psi(\Gamma))$. 

a. If $x = \dot{s}_1$ then $A = U_{s_2}$ and $(s_1 : s_2) \in \mathcal{A}$. Therefore $\psi(\Gamma) \vdash s_1 : s_2$. 

b. If $x = \dot{\pi}_{s_1 s_2 s_3}$ then $A = \Pi\alpha : U_{s_1}.\ (\varepsilon_{s_1}\,\alpha \to U_{s_2}) \to U_{s_3}$ and $(s_1, s_2, s_3) \in \mathcal{R}$. 
Therefore $\psi(\Gamma), \alpha : s_1, \beta : \alpha \to s_2 \vdash \Pi x : \alpha.\ \beta\,x : s_3$, which implies $\psi(\Gamma) \vdash (\lambda\alpha : s_1.\ \lambda\beta : (\alpha \to s_2).\ \Pi x : \alpha.\ \beta\,x) : \Pi\alpha : s_1.\ (\alpha \to s_2) \to s_3$. 

c. Otherwise $(x : A) \in \Gamma$, so $(x : \psi(A)) \in \psi(\Gamma)$. By induction hypothesis, $\mathrm{WF}(\psi(\Gamma))$. 
Therefore $\psi(\Gamma) \vdash x : \psi(A)$. 


Application 

$$\frac{\Gamma \vdash M : \Pi x : A.\ B \qquad \Gamma \vdash N : A}{\Gamma \vdash M\,N : B[x \backslash N]}$$ 

By induction hypothesis, $\psi(\Gamma) \vdash \varphi(M) : \Pi x : \psi(A).\ \psi(B)$ and $\psi(\Gamma) \vdash \varphi(N) : \psi(A)$. 
Therefore $\psi(\Gamma) \vdash \varphi(M)\,\varphi(N) : \psi(B)[x \backslash \varphi(N)]$. By Lemma 5.10, $\psi(\Gamma) \vdash \varphi(M)\,\varphi(N) : \psi(B[x \backslash N])$. 


Abstraction 

$$\frac{\Gamma \vdash \Pi x : A.\ B : \mathrm{Type} \qquad \Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x : A.\ M : \Pi x : A.\ B}$$ 

By induction hypothesis, $\psi(\Gamma) \vdash \Pi x : \psi(A).\ \psi(B) : s$ and $\psi(\Gamma), x : \psi(A) \vdash \varphi(M) : \psi(B)$ for some sort $s \in S^*$. Therefore $\psi(\Gamma) \vdash (\lambda x : \psi(A).\ \varphi(M)) : \Pi x : \psi(A).\ \psi(B)$. 
Conversion 

$$\frac{\Gamma \vdash M : A \qquad \Gamma \vdash B : \mathrm{Type} \qquad A =_{\beta R} B}{\Gamma \vdash M : B}$$ 

By induction hypothesis, $\psi(\Gamma) \vdash \varphi(M) : \psi(A)$ and $\psi(\Gamma) \vdash \psi(B) : s$ for some sort 
$s \in S^*$. By Lemma 5.10, $\psi(A) =_\beta \psi(B)$. Therefore $\psi(\Gamma) \vdash \varphi(M) : \psi(B)$. 


3. There are 4 cases. 

Variable 

$$\frac{\mathrm{WF}(\Gamma) \qquad (x : \mathrm{Type}) \in \Sigma, \Gamma}{\Gamma \vdash x : \mathrm{Type}}$$ 

Since $\Gamma$ is an object context we must have $x \in \Sigma$, so $x = U_{s_1}$ for some $s_1 \in S$. By 
induction hypothesis, $\mathrm{WF}(\psi(\Gamma))$. By definition, there is a sort $s_2 \in S^*$ such that 
$(s_1 : s_2) \in \mathcal{A}^*$. Therefore $\psi(\Gamma) \vdash s_1 : s_2$. 


Application 

$$\frac{\Gamma \vdash M : \Pi x : A.\ B \qquad \Gamma \vdash N : A}{\Gamma \vdash M\,N : B[x \backslash N]}$$ 

Since $\Gamma$ is an object context and $M\,N$ is not a $\beta$-redex, we must have $M = \varepsilon_{s_1}$ and 
$\Pi x : A.\ B = U_{s_1} \to \mathrm{Type}$ and $N : U_{s_1}$ for some $s_1 \in S$. By induction hypothesis, 
$\psi(\Gamma) \vdash \varphi(N) : s_1$. 


Product 

$$\frac{\Gamma \vdash A : \mathrm{Type} \qquad \Gamma, x : A \vdash B : \mathrm{Type}}{\Gamma \vdash \Pi x : A.\ B : \mathrm{Type}}$$ 

By induction hypothesis, $\psi(\Gamma) \vdash \psi(A) : s_1$ and $\psi(\Gamma), x : \psi(A) \vdash \psi(B) : s_2$ for some 
sorts $s_1, s_2 \in S^*$. By definition, there is a sort $s_3 \in S^*$ such that $(s_1, s_2, s_3) \in \mathcal{R}^*$. 
Therefore $\psi(\Gamma) \vdash (\Pi x : \psi(A).\ \psi(B)) : s_3$. 


Conversion 

$$\frac{\Gamma \vdash A : B \qquad \Gamma \vdash B : \mathrm{Kind} \qquad B =_{\beta R} \mathrm{Type}}{\Gamma \vdash A : \mathrm{Type}}$$ 

We must have $B = \mathrm{Type}$. By induction hypothesis, $\psi(\Gamma) \vdash \psi(A) : s$ for some sort 
$s \in S^*$. 


◄ 

► Lemma (5.22). If $\Gamma \vdash_{\lambda S^*} M : A : s$ then for any context $\Gamma'$ and substitution $\sigma$ such that 
$\mathrm{WF}_{\lambda S}(\Gamma')$ and $\Gamma' \models_S \sigma : \Gamma$, $\Gamma' \models_S \sigma(M) : \sigma(A)$. 

Proof. By induction on the derivation of $\Gamma \vdash_{\lambda S^*} M : A$. 

Sort 

$$\frac{\mathrm{WF}(\Gamma) \qquad (s_1 : s_2) \in \mathcal{A}^*}{\Gamma \vdash s_1 : s_2}$$ 

Since $s_2 : s$, we must have $s_2 \neq \tau$, so $(s_1 : s_2) \in \mathcal{A}$. Therefore $\Gamma' \vdash_{\lambda S} s_1 : s_2$, which 
implies $\Gamma' \models_S s_1 : s_2$. 

Variable 

$$\frac{\mathrm{WF}(\Gamma) \qquad (x : A) \in \Sigma, \Gamma}{\Gamma \vdash x : A}$$ 

Then $\Gamma' \models_S \sigma(M) : \sigma(A)$ by definition of $\Gamma' \models_S \sigma : \Gamma$. 
Application 

$$\frac{\Gamma \vdash M : \Pi x : A.\ B \qquad \Gamma \vdash N : A}{\Gamma \vdash M\,N : B[x \backslash N]}$$ 

Without loss of generality, $x \notin \Gamma'$, so $\sigma(B[x \backslash N]) = \sigma(B)[x \backslash \sigma(N)]$. By induction hypothesis, $\Gamma' \models_S \sigma(M) : \Pi x : \sigma(A).\ \sigma(B)$ and $\Gamma' \models_S \sigma(N) : \sigma(A)$. 

1. If $\Gamma \vdash_{\lambda S^*} \Pi x : A.\ B : s_3 \neq \tau$ then $\Gamma \vdash_{\lambda S^*} A : s_1$ and $\Gamma, x : A \vdash_{\lambda S^*} B : s_2$ for some 
$s_1, s_2$ such that $(s_1, s_2, s_3) \in \mathcal{R}$, which also means that $\Gamma, x : A \vdash_{\lambda S^*} B : s_2 \neq \tau$. By 
induction hypothesis, $\sigma(M) \to^*_\beta M'$, $\sigma(A) \to^*_\beta A'$ and $\sigma(B) \to^*_\beta B'$ such that $\Gamma' \vdash_{\lambda S} M' : \Pi x : A'.\ B'$, and $\sigma(N) \to^*_\beta N'$, $\sigma(A) \to^*_\beta A''$ such that $\Gamma' \vdash_{\lambda S} N' : A''$. By 
confluence and subject reduction, we can assume $A' = A''$. Therefore $\Gamma' \vdash_{\lambda S} M'\,N' : B'[x \backslash N']$. Since $\sigma(B)[x \backslash \sigma(N)] \to^*_\beta B'[x \backslash N']$, this implies $\Gamma' \models_S \sigma(M\,N) : \sigma(B[x \backslash N])$. 

2. Otherwise $\Gamma \vdash \Pi x : A.\ B : \tau$. By definition, $\Gamma' \models_S \sigma(M)\,\sigma(N) : \sigma(B)[x \backslash \sigma(N)]$. 


Abstraction 

$$\frac{\Gamma, x : A \vdash M : B \qquad \Gamma \vdash \Pi x : A.\ B : s}{\Gamma \vdash \lambda x : A.\ M : \Pi x : A.\ B}$$ 

Without loss of generality, $x \notin \Gamma'$. 

1. If $s \neq \tau$ then by induction hypothesis, $\sigma(A) \to^*_\beta A'$ and $\sigma(B) \to^*_\beta B'$ such that 
$\Gamma' \vdash_{\lambda S} \Pi x : A'.\ B' : s$. By inversion, $\Gamma' \vdash_{\lambda S} A' : s_1$ for some $s_1 \neq \tau$, so $\Gamma' \models_S \sigma(A) : s_1$, 
which implies $\Gamma', x : A' \models_S (\sigma, x/x) : (\Gamma, x : A)$. By induction hypothesis, $\sigma(M) \to^*_\beta M'$ 
and $\sigma(B) \to^*_\beta B''$ such that $\Gamma', x : A' \vdash_{\lambda S} M' : B''$. By confluence and subject 
reduction, we can assume $B' = B''$. Therefore $\Gamma' \vdash_{\lambda S} (\lambda x : A'.\ M') : \Pi x : A'.\ B'$, which 
implies $\Gamma' \models_S \sigma(\lambda x : A.\ M) : \sigma(\Pi x : A.\ B)$. 

2. If $s = \tau$ then for all $N$ such that $\Gamma' \models_S N : \sigma(A)$, we have $\Gamma' \models_S (\sigma, N/x) : (\Gamma, x : A)$. By induction hypothesis, $\Gamma' \models_S (\sigma, N/x)(M) : (\sigma, N/x)(B)$. Since $x \notin \Gamma'$, we 
have $(\sigma, N/x)(M) = \sigma(M)[x \backslash N]$ and $(\sigma, N/x)(B) = \sigma(B)[x \backslash N]$. Therefore $\Gamma' \models_S \sigma(M)[x \backslash N] : \sigma(B)[x \backslash N]$. By Lemma 5.19, $\Gamma' \models_S ((\lambda x : \sigma(A).\ \sigma(M))\,N) : \sigma(B)[x \backslash N]$. 
Therefore $\Gamma' \models_S (\lambda x : \sigma(A).\ \sigma(M)) : \sigma(\Pi x : A.\ B)$. 


Product 

$$\frac{\Gamma \vdash_{\lambda S^*} A : s_1 \qquad \Gamma, x : A \vdash_{\lambda S^*} B : s_2 \qquad (s_1, s_2, s_3) \in \mathcal{R}^*}{\Gamma \vdash_{\lambda S^*} \Pi x : A.\ B : s_3}$$ 

Without loss of generality, $x \notin \Gamma'$. Since $s_3 : s$, we must have $s_3 \neq \tau$, so $(s_1, s_2, s_3) \in \mathcal{R}$, 
which also means $s_1 \neq \tau$ and $s_2 \neq \tau$. By induction hypothesis, $\sigma(A) \to^*_\beta A'$ such that 
$\Gamma' \vdash_{\lambda S} A' : s_1$. This means that $\mathrm{WF}_{\lambda S}(\Gamma', x : A')$ and $\Gamma', x : A' \models_S (\sigma, x/x) : (\Gamma, x : A)$. 
By induction hypothesis, $\sigma(B) \to^*_\beta B'$ such that $\Gamma', x : A' \vdash_{\lambda S} B' : s_2$. Therefore $\Gamma' \vdash_{\lambda S} (\Pi x : A'.\ B') : s_3$, which implies $\Gamma' \models_S \sigma(\Pi x : A.\ B) : s_3$. 


Conversion 

$$\frac{\Gamma \vdash M : A \qquad \Gamma \vdash B : s \qquad A =_\beta B}{\Gamma \vdash M : B}$$ 

By induction hypothesis, $\Gamma' \models_S \sigma(M) : \sigma(A)$. Since $A =_\beta B$, we have $\sigma(A) =_\beta \sigma(B)$. 
By Lemma 5.20, $\Gamma' \models_S \sigma(M) : \sigma(B)$. 

◄ 
